Ansible with Kerberos Authentication

You are here:
← All Topics

Tutorial on how to configure Ansible with Kerberos Authentication for Remote Windows Server

Install pywinrm with kerberos

Install Phyton pywinrm with kerberos on Ansible Control Node

# Upgrade PIP to latest version
$ sudo pip3 install --upgrade pip

# Install Kerberos
$ sudo dnf install gcc python3-devel krb5-devel krb5-libs krb5-workstation

# Install pywinrm with kerberos with pip3
$ pip3 install pywinrm
$ pip3 install pywinrm[kerberos]

Kerberos Configuration File (krb5.conf)

Modify the following parameters in /etc/krb5.conf (Keberos Configuration File)

  • [realms] – Enter the AD Domain in CAPITAL LETTER and defined the FQDN of AD Domain Server
  • [domain_realm] – Map AD Domain
$ sudo nano /etc/krb5.conf

# Final working version of krb5.conf for reference
includedir /etc/krb5.conf.d/

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
    spake_preauth_groups = edwards25519
    default_realm = AVENTIS.LOCAL
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 AVENTIS.LOCAL = {
    kdc = aventis-ad01.aventis.local
    admin_server = aventis-ad01.aventis.local
 }

[domain_realm]
 .aventis.local = AVENTIS.LOCAL
 aventis.local = AVENTIS.LOCAL

Verify Kerberos Connection to Remote Windows Server

Verify Ansible Host is able to get Kerberos Ticket with kinit, klist & kdestroy

# Get a Keberos Ticket - AD Domain is in CAPITAL LETTER
$ kinit [email protected]
Password for [email protected]:

# List Kerberos Session
$ klist
Ticket cache: KCM:1000
Default principal: [email protected]

Valid starting       Expires              Service principal
11/01/2020 01:54:20  11/01/2020 11:54:20  krbtgt/[email protected]
        renew until 11/08/2020 01:54:15

# Destroy all Keberos connection 
$ kdestroy

Ansible Inventory File

Add the Remote Windows Host to the default ansible inventory file in /etc/ansible/hosts

$ sudo nano /etc/ansible/hosts

[winhost]
aventis-ad01.aventis.local

[winhost:vars]
ansible_user = [email protected]
ansible_password = [email protected][email protected]#$
ansible_connection = winrm
#ansible_port = 5985
ansible_winrm_transport = kerberos
ansible_winrm_server_cert_validation = ignore

uncomment the ansible_port = 5985 if WinRM HTTPS is NOT enable

Enable PowerShell Remote for HTTPS

Configure PowerShell Remote for HTTPS by following PowerShell Remoting for Non-Domain Workstation

Ad-Hoc Commands to veirify Ansible with Kerberos Authentication

Run some Ad-Hoc command, like win_ping to verify Ansible can connect to Remote Windows Server successfully

$ ansible winhost -m win_ping -vvvv
ansible 2.9.14
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/ansible/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.6/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.6.8 (default, Apr 16 2020, 01:36:27) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]
Using /etc/ansible/ansible.cfg as config file
setting up inventory plugins
host_list declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
script declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
auto declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
Parsed /etc/ansible/hosts inventory source with ini plugin
Loading callback plugin minimal of type stdout, v2.0 from /usr/lib/python3.6/site-packages/ansible/plugins/callback/minimal.py
META: ran handlers
Using module file /usr/lib/python3.6/site-packages/ansible/modules/windows/win_ping.ps1
Pipelining is enabled.
<aventis-ad01.aventis.local> ESTABLISH WINRM CONNECTION FOR USER: [email protected] on PORT 5986 TO aventis-ad01.aventis.local
calling kinit with subprocess for principal [email protected]
EXEC (via pipeline wrapper)
aventis-ad01.aventis.local | SUCCESS => {
    "changed": false,
    "invocation": {
        "module_args": {
            "data": "pong"
        }
    },
    "ping": "pong"
}

Run Windows Command using win_command on Remote Server

$ ansible winhost -m win_command -a "whoami" -vvvv

aventis-ad01.aventis.local | CHANGED | rc=0 >>
aventis\administrator

Contents

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to Top